SUPR3HardenedVerify.cpp@ 54375

Last change on this file since 54375 was 52940, checked in by vboxsync, 10 years ago
Eliminating some more kernel32.dll dependencies, marking APIs we like to use early as OK.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 69.6 KB

Line
1	/* $Id: SUPR3HardenedVerify.cpp 52940 2014-10-03 18:40:54Z vboxsync $ */
2	/** @file
3	* VirtualBox Support Library - Verification of Hardened Installation.
4	*/
5
6	/*
7	* Copyright (C) 2006-2013 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*
17	* The contents of this file may alternatively be used under the terms
18	* of the Common Development and Distribution License Version 1.0
19	* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20	* VirtualBox OSE distribution, in which case the provisions of the
21	* CDDL are applicable instead of those of the GPL.
22	*
23	* You may elect to license modified versions of this file under the
24	* terms and conditions of either the GPL or the CDDL or both.
25	*/
26
27	/*******************************************************************************
28	* Header Files *
29	*******************************************************************************/
30	#if defined(RT_OS_OS2)
31	# define INCL_BASE
32	# define INCL_ERRORS
33	# include <os2.h>
34	# include <stdio.h>
35	# include <stdlib.h>
36	# include <unistd.h>
37	# include <sys/fcntl.h>
38	# include <sys/errno.h>
39	# include <sys/syslimits.h>
40
41	#elif defined(RT_OS_WINDOWS)
42	# include <iprt/nt/nt-and-windows.h>
43	# ifndef IN_SUP_HARDENED_R3
44	# include <stdio.h>
45	# endif
46
47	#else /* UNIXes */
48	# include <sys/types.h>
49	# include <stdio.h>
50	# include <stdlib.h>
51	# include <dirent.h>
52	# include <dlfcn.h>
53	# include <fcntl.h>
54	# include <limits.h>
55	# include <errno.h>
56	# include <unistd.h>
57	# include <sys/stat.h>
58	# include <sys/time.h>
59	# include <sys/fcntl.h>
60	# include <pwd.h>
61	# ifdef RT_OS_DARWIN
62	# include <mach-o/dyld.h>
63	# endif
64
65	#endif
66
67	#include <VBox/sup.h>
68	#include <VBox/err.h>
69	#include <iprt/asm.h>
70	#include <iprt/ctype.h>
71	#include <iprt/param.h>
72	#include <iprt/path.h>
73	#include <iprt/string.h>
74
75	#include "SUPLibInternal.h"
76	#if defined(RT_OS_WINDOWS) && defined(VBOX_WITH_HARDENING)
77	# define SUPHNTVI_NO_NT_STUFF
78	# include "win/SUPHardenedVerify-win.h"
79	#endif
80
81
82	/*******************************************************************************
83	* Defined Constants And Macros *
84	*******************************************************************************/
85	/** The max path length acceptable for a trusted path. */
86	#define SUPR3HARDENED_MAX_PATH 260U
87
88	#ifdef RT_OS_SOLARIS
89	# define dirfd(d) ((d)->d_fd)
90	#endif
91
92	/** Compare table file names with externally supplied names. */
93	#if defined(RT_OS_WINDOWS) \|\| defined(RT_OS_OS2)
94	# define SUP_COMP_FILENAME RTStrICmp
95	#else
96	# define SUP_COMP_FILENAME suplibHardenedStrCmp
97	#endif
98
99
100	/*******************************************************************************
101	* Global Variables *
102	*******************************************************************************/
103	/**
104	* The files that gets verified.
105	*
106	* @todo This needs reviewing against the linux packages.
107	* @todo The excessive use of kSupID_SharedLib needs to be reviewed at some point. For
108	* the time being we're building the linux packages with SharedLib pointing to
109	* AppPrivArch (lazy bird).
110	*/
111	static SUPINSTFILE const g_aSupInstallFiles[] =
112	{
113	/* type, dir, fOpt, "pszFile" */
114	/* ---------------------------------------------------------------------- */
115	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VMMR0.r0" },
116	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDDR0.r0" },
117	{ kSupIFT_Dll, kSupID_AppPrivArch, false, "VBoxDD2R0.r0" },
118
119	#ifdef VBOX_WITH_RAW_MODE
120	{ kSupIFT_Rc, kSupID_AppPrivArch, false, "VMMGC.gc" },
121	{ kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDDGC.gc" },
122	{ kSupIFT_Rc, kSupID_AppPrivArch, false, "VBoxDD2GC.gc" },
123	#endif
124
125	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxRT" SUPLIB_DLL_SUFF },
126	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxVMM" SUPLIB_DLL_SUFF },
127	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxREM" SUPLIB_DLL_SUFF },
128	#if HC_ARCH_BITS == 32
129	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxREM32" SUPLIB_DLL_SUFF },
130	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxREM64" SUPLIB_DLL_SUFF },
131	#endif
132	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDD" SUPLIB_DLL_SUFF },
133	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDD2" SUPLIB_DLL_SUFF },
134	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxDDU" SUPLIB_DLL_SUFF },
135
136	//#ifdef VBOX_WITH_DEBUGGER_GUI
137	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxDbg" SUPLIB_DLL_SUFF },
138	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxDbg3" SUPLIB_DLL_SUFF },
139	//#endif
140
141	//#ifdef VBOX_WITH_SHARED_CLIPBOARD
142	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedClipboard" SUPLIB_DLL_SUFF },
143	//#endif
144	//#ifdef VBOX_WITH_SHARED_FOLDERS
145	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedFolders" SUPLIB_DLL_SUFF },
146	//#endif
147	//#ifdef VBOX_WITH_DRAG_AND_DROP
148	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxDragAndDropSvc" SUPLIB_DLL_SUFF },
149	//#endif
150	//#ifdef VBOX_WITH_GUEST_PROPS
151	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestPropSvc" SUPLIB_DLL_SUFF },
152	//#endif
153	//#ifdef VBOX_WITH_GUEST_CONTROL
154	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxGuestControlSvc" SUPLIB_DLL_SUFF },
155	//#endif
156	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHostChannel" SUPLIB_DLL_SUFF },
157	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSharedCrOpenGL" SUPLIB_DLL_SUFF },
158	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhostcrutil" SUPLIB_DLL_SUFF },
159	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLhosterrorspu" SUPLIB_DLL_SUFF },
160	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxOGLrenderspu" SUPLIB_DLL_SUFF },
161
162	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxManage" SUPLIB_EXE_SUFF },
163
164	#ifdef VBOX_WITH_MAIN
165	{ kSupIFT_Exe, kSupID_AppBin, false, "VBoxSVC" SUPLIB_EXE_SUFF },
166	#ifdef RT_OS_WINDOWS
167	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxC" SUPLIB_DLL_SUFF },
168	#else
169	{ kSupIFT_Exe, kSupID_AppPrivArch, false, "VBoxXPCOMIPCD" SUPLIB_EXE_SUFF },
170	{ kSupIFT_Dll, kSupID_SharedLib, false, "VBoxXPCOM" SUPLIB_DLL_SUFF },
171	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxXPCOMIPCC" SUPLIB_DLL_SUFF },
172	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxC" SUPLIB_DLL_SUFF },
173	{ kSupIFT_Dll, kSupID_AppPrivArchComp, false, "VBoxSVCM" SUPLIB_DLL_SUFF },
174	{ kSupIFT_Data, kSupID_AppPrivArchComp, false, "VBoxXPCOMBase.xpt" },
175	#endif
176	#endif
177
178	{ kSupIFT_Dll, kSupID_SharedLib, true, "VRDPAuth" SUPLIB_DLL_SUFF },
179	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxAuth" SUPLIB_DLL_SUFF },
180	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxVRDP" SUPLIB_DLL_SUFF },
181
182	//#ifdef VBOX_WITH_HEADLESS
183	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxHeadless" SUPLIB_EXE_SUFF },
184	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxHeadless" SUPLIB_DLL_SUFF },
185	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxVideoRecFB" SUPLIB_DLL_SUFF },
186	//#endif
187
188	//#ifdef VBOX_WITH_QTGUI
189	{ kSupIFT_Exe, kSupID_AppBin, true, "VirtualBox" SUPLIB_EXE_SUFF },
190	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VirtualBox" SUPLIB_DLL_SUFF },
191	# if !defined(RT_OS_DARWIN) && !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
192	{ kSupIFT_Dll, kSupID_SharedLib, true, "VBoxKeyboard" SUPLIB_DLL_SUFF },
193	# endif
194	//#endif
195
196	//#ifdef VBOX_WITH_VBOXSDL
197	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxSDL" SUPLIB_EXE_SUFF },
198	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxSDL" SUPLIB_DLL_SUFF },
199	//#endif
200
201	//#ifdef VBOX_WITH_WEBSERVICES
202	{ kSupIFT_Exe, kSupID_AppBin, true, "vboxwebsrv" SUPLIB_EXE_SUFF },
203	//#endif
204
205	#ifdef RT_OS_LINUX
206	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxTunctl" SUPLIB_EXE_SUFF },
207	#endif
208
209	//#ifdef VBOX_WITH_NETFLT
210	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetDHCP" SUPLIB_EXE_SUFF },
211	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetDHCP" SUPLIB_DLL_SUFF },
212	//#endif
213
214	//#ifdef VBOX_WITH_LWIP_NAT
215	{ kSupIFT_Exe, kSupID_AppBin, true, "VBoxNetNAT" SUPLIB_EXE_SUFF },
216	{ kSupIFT_Dll, kSupID_AppPrivArch, true, "VBoxNetNAT" SUPLIB_DLL_SUFF },
217	//#endif
218	#if defined(VBOX_WITH_HARDENING) && defined(RT_OS_WINDOWS)
219	# define HARDENED_TESTCASE_BIN_ENTRY(a_szName) \
220	{ kSupIFT_TestExe, kSupID_AppBin, true, a_szName SUPLIB_EXE_SUFF }, \
221	{ kSupIFT_TestDll, kSupID_AppBin, true, a_szName SUPLIB_DLL_SUFF }
222	HARDENED_TESTCASE_BIN_ENTRY("tstMicro"),
223	HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletion"),
224	HARDENED_TESTCASE_BIN_ENTRY("tstPDMAsyncCompletionStress"),
225	HARDENED_TESTCASE_BIN_ENTRY("tstVMM"),
226	HARDENED_TESTCASE_BIN_ENTRY("tstVMREQ"),
227	# define HARDENED_TESTCASE_ENTRY(a_szName) \
228	{ kSupIFT_TestExe, kSupID_Testcase, true, a_szName SUPLIB_EXE_SUFF }, \
229	{ kSupIFT_TestDll, kSupID_Testcase, true, a_szName SUPLIB_DLL_SUFF }
230	HARDENED_TESTCASE_ENTRY("tstCFGM"),
231	HARDENED_TESTCASE_ENTRY("tstIntNet-1"),
232	HARDENED_TESTCASE_ENTRY("tstMMHyperHeap"),
233	HARDENED_TESTCASE_ENTRY("tstR0ThreadPreemptionDriver"),
234	HARDENED_TESTCASE_ENTRY("tstRTR0MemUserKernelDriver"),
235	HARDENED_TESTCASE_ENTRY("tstRTR0SemMutexDriver"),
236	HARDENED_TESTCASE_ENTRY("tstRTR0TimerDriver"),
237	HARDENED_TESTCASE_ENTRY("tstSSM"),
238	#endif
239	};
240
241
242	/** Array parallel to g_aSupInstallFiles containing per-file status info. */
243	static SUPVERIFIEDFILE g_aSupVerifiedFiles[RT_ELEMENTS(g_aSupInstallFiles)];
244
245	/** Array index by install directory specifier containing info about verified directories. */
246	static SUPVERIFIEDDIR g_aSupVerifiedDirs[kSupID_End];
247
248
249	/**
250	* Assembles the path to a directory.
251	*
252	* @returns VINF_SUCCESS on success, some error code on failure (fFatal
253	* decides whether it returns or not).
254	*
255	* @param enmDir The directory.
256	* @param pszDst Where to assemble the path.
257	* @param cchDst The size of the buffer.
258	* @param fFatal Whether failures should be treated as fatal (true) or not (false).
259	*/
260	static int supR3HardenedMakePath(SUPINSTDIR enmDir, char *pszDst, size_t cchDst, bool fFatal)
261	{
262	int rc;
263	switch (enmDir)
264	{
265	case kSupID_AppBin: /** @todo fix this AppBin crap (uncertain wtf some binaries actually are installed). */
266	case kSupID_Bin:
267	rc = supR3HardenedPathExecDir(pszDst, cchDst);
268	break;
269	case kSupID_SharedLib:
270	rc = supR3HardenedPathSharedLibs(pszDst, cchDst);
271	break;
272	case kSupID_AppPrivArch:
273	rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
274	break;
275	case kSupID_AppPrivArchComp:
276	rc = supR3HardenedPathAppPrivateArch(pszDst, cchDst);
277	if (RT_SUCCESS(rc))
278	{
279	size_t off = suplibHardenedStrLen(pszDst);
280	if (cchDst - off >= sizeof("/components"))
281	suplibHardenedMemCopy(&pszDst[off], "/components", sizeof("/components"));
282	else
283	rc = VERR_BUFFER_OVERFLOW;
284	}
285	break;
286	case kSupID_AppPrivNoArch:
287	rc = supR3HardenedPathAppPrivateNoArch(pszDst, cchDst);
288	break;
289	case kSupID_Testcase:
290	rc = supR3HardenedPathExecDir(pszDst, cchDst);
291	if (RT_SUCCESS(rc))
292	{
293	size_t off = suplibHardenedStrLen(pszDst);
294	if (cchDst - off >= sizeof("/testcase"))
295	suplibHardenedMemCopy(&pszDst[off], "/testcase", sizeof("/testcase"));
296	else
297	rc = VERR_BUFFER_OVERFLOW;
298	}
299	break;
300	default:
301	return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
302	"supR3HardenedMakePath: enmDir=%d\n", enmDir);
303	}
304	if (RT_FAILURE(rc))
305	supR3HardenedError(rc, fFatal,
306	"supR3HardenedMakePath: enmDir=%d rc=%d\n", enmDir, rc);
307	return rc;
308	}
309
310
311
312	/**
313	* Assembles the path to a file table entry, with or without the actual filename.
314	*
315	* @returns VINF_SUCCESS on success, some error code on failure (fFatal
316	* decides whether it returns or not).
317	*
318	* @param pFile The file table entry.
319	* @param pszDst Where to assemble the path.
320	* @param cchDst The size of the buffer.
321	* @param fWithFilename If set, the filename is included, otherwise it is omitted (no trailing slash).
322	* @param fFatal Whether failures should be treated as fatal (true) or not (false).
323	*/
324	static int supR3HardenedMakeFilePath(PCSUPINSTFILE pFile, char *pszDst, size_t cchDst, bool fWithFilename, bool fFatal)
325	{
326	/*
327	* Combine supR3HardenedMakePath and the filename.
328	*/
329	int rc = supR3HardenedMakePath(pFile->enmDir, pszDst, cchDst, fFatal);
330	if (RT_SUCCESS(rc) && fWithFilename)
331	{
332	size_t cchFile = suplibHardenedStrLen(pFile->pszFile);
333	size_t off = suplibHardenedStrLen(pszDst);
334	if (cchDst - off >= cchFile + 2)
335	{
336	pszDst[off++] = '/';
337	suplibHardenedMemCopy(&pszDst[off], pFile->pszFile, cchFile + 1);
338	}
339	else
340	rc = supR3HardenedError(VERR_BUFFER_OVERFLOW, fFatal,
341	"supR3HardenedMakeFilePath: pszFile=%s off=%lu\n",
342	pFile->pszFile, (long)off);
343	}
344	return rc;
345	}
346
347
348	/**
349	* Verifies a directory.
350	*
351	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
352	* fFatal is clear and if it's set the function wont return.
353	* @param enmDir The directory specifier.
354	* @param fFatal Whether validation failures should be treated as
355	* fatal (true) or not (false).
356	*/
357	DECLHIDDEN(int) supR3HardenedVerifyFixedDir(SUPINSTDIR enmDir, bool fFatal)
358	{
359	/*
360	* Validate the index just to be on the safe side...
361	*/
362	if (enmDir <= kSupID_Invalid \|\| enmDir >= kSupID_End)
363	return supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
364	"supR3HardenedVerifyDir: enmDir=%d\n", enmDir);
365
366	/*
367	* Already validated?
368	*/
369	if (g_aSupVerifiedDirs[enmDir].fValidated)
370	return VINF_SUCCESS; /** @todo revalidate? */
371
372	/* initialize the entry. */
373	if (g_aSupVerifiedDirs[enmDir].hDir != 0)
374	supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
375	"supR3HardenedVerifyDir: hDir=%p enmDir=%d\n",
376	(void *)g_aSupVerifiedDirs[enmDir].hDir, enmDir);
377	g_aSupVerifiedDirs[enmDir].hDir = -1;
378	g_aSupVerifiedDirs[enmDir].fValidated = false;
379
380	/*
381	* Make the path and open the directory.
382	*/
383	char szPath[RTPATH_MAX];
384	int rc = supR3HardenedMakePath(enmDir, szPath, sizeof(szPath), fFatal);
385	if (RT_SUCCESS(rc))
386	{
387	#if defined(RT_OS_WINDOWS)
388	PRTUTF16 pwszPath;
389	rc = RTStrToUtf16(szPath, &pwszPath);
390	if (RT_SUCCESS(rc))
391	{
392	HANDLE hDir = CreateFileW(pwszPath,
393	GENERIC_READ,
394	FILE_SHARE_READ \| FILE_SHARE_DELETE \| FILE_SHARE_WRITE,
395	NULL,
396	OPEN_EXISTING,
397	FILE_ATTRIBUTE_NORMAL \| FILE_FLAG_BACKUP_SEMANTICS,
398	NULL);
399	if (hDir != INVALID_HANDLE_VALUE)
400	{
401	/** @todo check the type */
402	/* That's all on windows, for now at least... */
403	g_aSupVerifiedDirs[enmDir].hDir = (intptr_t)hDir;
404	g_aSupVerifiedDirs[enmDir].fValidated = true;
405	}
406	else if (enmDir == kSupID_Testcase)
407	{
408	g_aSupVerifiedDirs[enmDir].fValidated = true;
409	rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
410	}
411	else
412	{
413	int err = RtlGetLastWin32Error();
414	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
415	"supR3HardenedVerifyDir: Failed to open \"%s\": err=%d\n",
416	szPath, err);
417	}
418	RTUtf16Free(pwszPath);
419	}
420	else
421	rc = supR3HardenedError(rc, fFatal,
422	"supR3HardenedVerifyDir: Failed to convert \"%s\" to UTF-16: err=%d\n", szPath, rc);
423
424	#else /* UNIXY */
425	int fd = open(szPath, O_RDONLY, 0);
426	if (fd >= 0)
427	{
428	/*
429	* On unixy systems we'll make sure the directory is owned by root
430	* and not writable by the group and user.
431	*/
432	struct stat st;
433	if (!fstat(fd, &st))
434	{
435
436	if ( st.st_uid == 0
437	&& !(st.st_mode & (S_IWGRP \| S_IWOTH))
438	&& S_ISDIR(st.st_mode))
439	{
440	g_aSupVerifiedDirs[enmDir].hDir = fd;
441	g_aSupVerifiedDirs[enmDir].fValidated = true;
442	}
443	else
444	{
445	if (!S_ISDIR(st.st_mode))
446	rc = supR3HardenedError(VERR_NOT_A_DIRECTORY, fFatal,
447	"supR3HardenedVerifyDir: \"%s\" is not a directory\n",
448	szPath, (long)st.st_uid);
449	else if (st.st_uid)
450	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
451	"supR3HardenedVerifyDir: Cannot trust the directory \"%s\": not owned by root (st_uid=%ld)\n",
452	szPath, (long)st.st_uid);
453	else
454	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
455	"supR3HardenedVerifyDir: Cannot trust the directory \"%s\": group and/or other writable (st_mode=0%lo)\n",
456	szPath, (long)st.st_mode);
457	close(fd);
458	}
459	}
460	else
461	{
462	int err = errno;
463	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
464	"supR3HardenedVerifyDir: Failed to fstat \"%s\": %s (%d)\n",
465	szPath, strerror(err), err);
466	close(fd);
467	}
468	}
469	else if (enmDir == kSupID_Testcase)
470	{
471	g_aSupVerifiedDirs[enmDir].fValidated = true;
472	rc = VINF_SUCCESS; /* Optional directory, ignore if missing. */
473	}
474	else
475	{
476	int err = errno;
477	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
478	"supR3HardenedVerifyDir: Failed to open \"%s\": %s (%d)\n",
479	szPath, strerror(err), err);
480	}
481	#endif /* UNIXY */
482	}
483
484	return rc;
485	}
486
487
488	#ifdef RT_OS_WINDOWS
489	/**
490	* Opens the file for verification.
491	*
492	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
493	* fFatal is clear and if it's set the function wont return.
494	* @param pFile The file entry.
495	* @param fFatal Whether validation failures should be treated as
496	* kl fatal (true) or not (false).
497	* @param phFile The file handle, set to -1 if we failed to open
498	* the file. The function may return VINF_SUCCESS
499	* and a -1 handle if the file is optional.
500	*/
501	static int supR3HardenedVerifyFileOpen(PCSUPINSTFILE pFile, bool fFatal, intptr_t *phFile)
502	{
503	*phFile = -1;
504
505	char szPath[RTPATH_MAX];
506	int rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /fWithFilename/, fFatal);
507	if (RT_SUCCESS(rc))
508	{
509	PRTUTF16 pwszPath;
510	rc = RTStrToUtf16(szPath, &pwszPath);
511	if (RT_SUCCESS(rc))
512	{
513	HANDLE hFile = CreateFileW(pwszPath,
514	GENERIC_READ,
515	FILE_SHARE_READ,
516	NULL,
517	OPEN_EXISTING,
518	FILE_ATTRIBUTE_NORMAL,
519	NULL);
520	if (hFile != INVALID_HANDLE_VALUE)
521	{
522	*phFile = (intptr_t)hFile;
523	rc = VINF_SUCCESS;
524	}
525	else
526	{
527	int err = RtlGetLastWin32Error();
528	if ( !pFile->fOptional
529	\|\| ( err != ERROR_FILE_NOT_FOUND
530	&& (err != ERROR_PATH_NOT_FOUND \|\| pFile->enmDir != kSupID_Testcase) ) )
531	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
532	"supR3HardenedVerifyFileInternal: Failed to open '%s': err=%d\n", szPath, err);
533	}
534	RTUtf16Free(pwszPath);
535	}
536	else
537	rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: Failed to convert '%s' to UTF-16: %Rrc\n",
538	szPath, rc);
539	}
540	return rc;
541	}
542
543
544	/**
545	* Worker for supR3HardenedVerifyFileInternal.
546	*
547	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
548	* fFatal is clear and if it's set the function wont return.
549	* @param pFile The file entry.
550	* @param pVerified The verification record.
551	* @param fFatal Whether validation failures should be treated as
552	* fatal (true) or not (false).
553	* @param fLeaveFileOpen Whether the file should be left open.
554	*/
555	static int supR3HardenedVerifyFileSignature(PCSUPINSTFILE pFile, PSUPVERIFIEDFILE pVerified, bool fFatal, bool fLeaveFileOpen)
556	{
557	# if defined(VBOX_WITH_HARDENING) && !defined(IN_SUP_R3_STATIC) /* Latter: Not in VBoxCpuReport and friends. */
558
559	/*
560	* Open the file if we have to.
561	*/
562	int rc;
563	intptr_t hFileOpened;
564	intptr_t hFile = pVerified->hFile;
565	if (hFile != -1)
566	hFileOpened = -1;
567	else
568	{
569	rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &hFileOpened);
570	if (RT_FAILURE(rc))
571	return rc;
572	hFile = hFileOpened;
573	}
574
575	/*
576	* Verify the signature.
577	*/
578	char szErr[1024];
579	RTERRINFO ErrInfo;
580	RTErrInfoInit(&ErrInfo, szErr, sizeof(szErr));
581
582	uint32_t fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
583	if (pFile->enmType == kSupIFT_Rc)
584	fFlags \|= SUPHNTVI_F_RC_IMAGE;
585
586	rc = supHardenedWinVerifyImageByHandleNoName((HANDLE)hFile, fFlags, &ErrInfo);
587	if (RT_SUCCESS(rc))
588	pVerified->fCheckedSignature = true;
589	else
590	{
591	pVerified->fCheckedSignature = false;
592	rc = supR3HardenedError(rc, fFatal, "supR3HardenedVerifyFileInternal: '%s': Image verify error rc=%Rrc: %s\n",
593	pFile->pszFile, rc, szErr);
594
595	}
596
597	/*
598	* Close the handle if we opened the file and we should close it.
599	*/
600	if (hFileOpened != -1)
601	{
602	if (fLeaveFileOpen && RT_SUCCESS(rc))
603	pVerified->hFile = hFileOpened;
604	else
605	NtClose((HANDLE)hFileOpened);
606	}
607
608	return rc;
609
610	# else /* Not checking signatures. */
611	return VINF_SUCCESS;
612	# endif /* Not checking signatures. */
613	}
614	#endif
615
616
617	/**
618	* Verifies a file entry.
619	*
620	* @returns VINF_SUCCESS on success. On failure, an error code is returned if
621	* fFatal is clear and if it's set the function wont return.
622	*
623	* @param iFile The file table index of the file to be verified.
624	* @param fFatal Whether validation failures should be treated as
625	* fatal (true) or not (false).
626	* @param fLeaveFileOpen Whether the file should be left open.
627	* @param fVerifyAll Set if this is an verify all call and we will
628	* postpone signature checking.
629	*/
630	static int supR3HardenedVerifyFileInternal(int iFile, bool fFatal, bool fLeaveFileOpen, bool fVerifyAll)
631	{
632	PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
633	PSUPVERIFIEDFILE pVerified = &g_aSupVerifiedFiles[iFile];
634
635	/*
636	* Already done validation? Do signature validation if we haven't yet.
637	*/
638	if (pVerified->fValidated)
639	{
640	/** @todo revalidate? Check that the file hasn't been replace or similar. */
641	#ifdef RT_OS_WINDOWS
642	if (!pVerified->fCheckedSignature && !fVerifyAll)
643	return supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
644	#endif
645	return VINF_SUCCESS;
646	}
647
648
649	/* initialize the entry. */
650	if (pVerified->hFile != 0)
651	supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
652	"supR3HardenedVerifyFileInternal: hFile=%p (%s)\n",
653	(void *)pVerified->hFile, pFile->pszFile);
654	pVerified->hFile = -1;
655	pVerified->fValidated = false;
656	#ifdef RT_OS_WINDOWS
657	pVerified->fCheckedSignature = false;
658	#endif
659
660	/*
661	* Verify the directory then proceed to open it.
662	* (This'll make sure the directory is opened and that we can (later)
663	* use openat if we wish.)
664	*/
665	int rc = supR3HardenedVerifyFixedDir(pFile->enmDir, fFatal);
666	if (RT_SUCCESS(rc))
667	{
668	#if defined(RT_OS_WINDOWS)
669	rc = supR3HardenedVerifyFileOpen(pFile, fFatal, &pVerified->hFile);
670	if (RT_SUCCESS(rc))
671	{
672	if (!fVerifyAll)
673	rc = supR3HardenedVerifyFileSignature(pFile, pVerified, fFatal, fLeaveFileOpen);
674	if (RT_SUCCESS(rc))
675	{
676	pVerified->fValidated = true;
677	if (!fLeaveFileOpen)
678	{
679	NtClose((HANDLE)pVerified->hFile);
680	pVerified->hFile = -1;
681	}
682	}
683	}
684	#else /* !RT_OS_WINDOWS */
685	char szPath[RTPATH_MAX];
686	rc = supR3HardenedMakeFilePath(pFile, szPath, sizeof(szPath), true /fWithFilename/, fFatal);
687	if (RT_SUCCESS(rc))
688	{
689	int fd = open(szPath, O_RDONLY, 0);
690	if (fd >= 0)
691	{
692	/*
693	* On unixy systems we'll make sure the file is owned by root
694	* and not writable by the group and user.
695	*/
696	struct stat st;
697	if (!fstat(fd, &st))
698	{
699	if ( st.st_uid == 0
700	&& !(st.st_mode & (S_IWGRP \| S_IWOTH))
701	&& S_ISREG(st.st_mode))
702	{
703	/* it's valid. */
704	if (fLeaveFileOpen)
705	pVerified->hFile = fd;
706	else
707	close(fd);
708	pVerified->fValidated = true;
709	}
710	else
711	{
712	if (!S_ISREG(st.st_mode))
713	rc = supR3HardenedError(VERR_IS_A_DIRECTORY, fFatal,
714	"supR3HardenedVerifyFileInternal: \"%s\" is not a regular file\n",
715	szPath, (long)st.st_uid);
716	else if (st.st_uid)
717	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
718	"supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": not owned by root (st_uid=%ld)\n",
719	szPath, (long)st.st_uid);
720	else
721	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
722	"supR3HardenedVerifyFileInternal: Cannot trust the file \"%s\": group and/or other writable (st_mode=0%lo)\n",
723	szPath, (long)st.st_mode);
724	close(fd);
725	}
726	}
727	else
728	{
729	int err = errno;
730	rc = supR3HardenedError(VERR_ACCESS_DENIED, fFatal,
731	"supR3HardenedVerifyFileInternal: Failed to fstat \"%s\": %s (%d)\n",
732	szPath, strerror(err), err);
733	close(fd);
734	}
735	}
736	else
737	{
738	int err = errno;
739	if (!pFile->fOptional \|\| err != ENOENT)
740	rc = supR3HardenedError(VERR_PATH_NOT_FOUND, fFatal,
741	"supR3HardenedVerifyFileInternal: Failed to open \"%s\": %s (%d)\n",
742	szPath, strerror(err), err);
743	}
744	}
745	#endif /* !RT_OS_WINDOWS */
746	}
747
748	return rc;
749	}
750
751
752	/**
753	* Verifies that the specified table entry matches the given filename.
754	*
755	* @returns VINF_SUCCESS if matching. On mismatch fFatal indicates whether an
756	* error is returned or we terminate the application.
757	*
758	* @param iFile The file table index.
759	* @param pszFilename The filename.
760	* @param fFatal Whether validation failures should be treated as
761	* fatal (true) or not (false).
762	*/
763	static int supR3HardenedVerifySameFile(int iFile, const char *pszFilename, bool fFatal)
764	{
765	PCSUPINSTFILE pFile = &g_aSupInstallFiles[iFile];
766
767	/*
768	* Construct the full path for the file table entry
769	* and compare it with the specified file.
770	*/
771	char szName[RTPATH_MAX];
772	int rc = supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /fWithFilename/, fFatal);
773	if (RT_FAILURE(rc))
774	return rc;
775	if (SUP_COMP_FILENAME(szName, pszFilename))
776	{
777	/*
778	* Normalize the two paths and compare again.
779	*/
780	rc = VERR_NOT_SAME_DEVICE;
781	#if defined(RT_OS_WINDOWS)
782	LPSTR pszIgnored;
783	char szName2[RTPATH_MAX]; /** @todo Must use UTF-16 here! Code is mixing UTF-8 and native. */
784	if ( GetFullPathName(szName, RT_ELEMENTS(szName2), &szName2[0], &pszIgnored)
785	&& GetFullPathName(pszFilename, RT_ELEMENTS(szName), &szName[0], &pszIgnored))
786	if (!SUP_COMP_FILENAME(szName2, szName))
787	rc = VINF_SUCCESS;
788	#else
789	AssertCompile(RTPATH_MAX >= PATH_MAX);
790	char szName2[RTPATH_MAX];
791	if ( realpath(szName, szName2) != NULL
792	&& realpath(pszFilename, szName) != NULL)
793	if (!SUP_COMP_FILENAME(szName2, szName))
794	rc = VINF_SUCCESS;
795	#endif
796
797	if (RT_FAILURE(rc))
798	{
799	supR3HardenedMakeFilePath(pFile, szName, sizeof(szName), true /fWithFilename/, fFatal);
800	return supR3HardenedError(rc, fFatal,
801	"supR3HardenedVerifySameFile: \"%s\" isn't the same as \"%s\"\n",
802	pszFilename, szName);
803	}
804	}
805
806	/*
807	* Check more stuff like the stat info if it's an already open file?
808	*/
809
810
811
812	return VINF_SUCCESS;
813	}
814
815
816	/**
817	* Verifies a file.
818	*
819	* @returns VINF_SUCCESS on success.
820	* VERR_NOT_FOUND if the file isn't in the table, this isn't ever a fatal error.
821	* On verification failure, an error code will be returned when fFatal is clear,
822	* otherwise the program will be terminated.
823	*
824	* @param pszFilename The filename.
825	* @param fFatal Whether validation failures should be treated as
826	* fatal (true) or not (false).
827	*/
828	DECLHIDDEN(int) supR3HardenedVerifyFixedFile(const char *pszFilename, bool fFatal)
829	{
830	/*
831	* Lookup the file and check if it's the same file.
832	*/
833	const char *pszName = supR3HardenedPathFilename(pszFilename);
834	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
835	if (!SUP_COMP_FILENAME(pszName, g_aSupInstallFiles[iFile].pszFile))
836	{
837	int rc = supR3HardenedVerifySameFile(iFile, pszFilename, fFatal);
838	if (RT_SUCCESS(rc))
839	rc = supR3HardenedVerifyFileInternal(iFile, fFatal, false /* fLeaveFileOpen /, false / fVerifyAll */);
840	return rc;
841	}
842
843	return VERR_NOT_FOUND;
844	}
845
846
847	/**
848	* Verifies a program, worker for supR3HardenedVerifyAll.
849	*
850	* @returns See supR3HardenedVerifyAll.
851	* @param pszProgName See supR3HardenedVerifyAll.
852	* @param fFatal See supR3HardenedVerifyAll.
853	* @param fLeaveOpen The leave open setting used by
854	* supR3HardenedVerifyAll.
855	*/
856	static int supR3HardenedVerifyProgram(const char *pszProgName, bool fFatal, bool fLeaveOpen)
857	{
858	/*
859	* Search the table looking for the executable and the DLL/DYLIB/SO.
860	*/
861	int rc = VINF_SUCCESS;
862	bool fExe = false;
863	bool fDll = false;
864	size_t const cchProgName = suplibHardenedStrLen(pszProgName);
865	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
866	if (!suplibHardenedStrNCmp(pszProgName, g_aSupInstallFiles[iFile].pszFile, cchProgName))
867	{
868	if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Dll
869	\|\| g_aSupInstallFiles[iFile].enmType == kSupIFT_TestDll)
870	&& !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgName], SUPLIB_DLL_SUFF))
871	{
872	/* This only has to be found (once). */
873	if (fDll)
874	rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
875	"supR3HardenedVerifyProgram: duplicate DLL entry for \"%s\"\n", pszProgName);
876	else
877	rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen,
878	true /* fVerifyAll - check sign later, only final process need check it on load. */);
879	fDll = true;
880	}
881	else if ( ( g_aSupInstallFiles[iFile].enmType == kSupIFT_Exe
882	\|\| g_aSupInstallFiles[iFile].enmType == kSupIFT_TestExe)
883	&& !suplibHardenedStrCmp(&g_aSupInstallFiles[iFile].pszFile[cchProgName], SUPLIB_EXE_SUFF))
884	{
885	/* Here we'll have to check that the specific program is the same as the entry. */
886	if (fExe)
887	rc = supR3HardenedError(VERR_INTERNAL_ERROR, fFatal,
888	"supR3HardenedVerifyProgram: duplicate EXE entry for \"%s\"\n", pszProgName);
889	else
890	rc = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, false /* fVerifyAll */);
891	fExe = true;
892
893	char szFilename[RTPATH_MAX];
894	int rc2 = supR3HardenedPathExecDir(szFilename, sizeof(szFilename) - cchProgName - sizeof(SUPLIB_EXE_SUFF));
895	if (RT_SUCCESS(rc2))
896	{
897	suplibHardenedStrCat(szFilename, "/");
898	suplibHardenedStrCat(szFilename, g_aSupInstallFiles[iFile].pszFile);
899	supR3HardenedVerifySameFile(iFile, szFilename, fFatal);
900	}
901	else
902	rc = supR3HardenedError(rc2, fFatal,
903	"supR3HardenedVerifyProgram: failed to query program path: rc=%d\n", rc2);
904	}
905	}
906
907	/*
908	* Check the findings.
909	*/
910	if (RT_SUCCESS(rc))
911	{
912	if (!fDll && !fExe)
913	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
914	"supR3HardenedVerifyProgram: Couldn't find the program \"%s\"\n", pszProgName);
915	else if (!fExe)
916	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
917	"supR3HardenedVerifyProgram: Couldn't find the EXE entry for \"%s\"\n", pszProgName);
918	else if (!fDll)
919	rc = supR3HardenedError(VERR_NOT_FOUND, fFatal,
920	"supR3HardenedVerifyProgram: Couldn't find the DLL entry for \"%s\"\n", pszProgName);
921	}
922	return rc;
923	}
924
925
926	/**
927	* Verifies all the known files (called from SUPR3HardenedMain).
928	*
929	* @returns VINF_SUCCESS on success.
930	* On verification failure, an error code will be returned when fFatal is clear,
931	* otherwise the program will be terminated.
932	*
933	* @param fFatal Whether validation failures should be treated as
934	* fatal (true) or not (false).
935	* @param pszProgName The program name. This is used to verify that
936	* both the executable and corresponding
937	* DLL/DYLIB/SO are valid.
938	*/
939	DECLHIDDEN(int) supR3HardenedVerifyAll(bool fFatal, const char *pszProgName)
940	{
941	/*
942	* On windows
943	*/
944	#if defined(RT_OS_WINDOWS)
945	bool fLeaveOpen = true;
946	#else
947	bool fLeaveOpen = false;
948	#endif
949
950	/*
951	* The verify all the files.
952	*/
953	int rc = VINF_SUCCESS;
954	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
955	{
956	int rc2 = supR3HardenedVerifyFileInternal(iFile, fFatal, fLeaveOpen, true /* fVerifyAll */);
957	if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
958	rc = rc2;
959	}
960
961	/*
962	* Verify the program name, that is to say, check that it's in the table
963	* (thus verified above) and verify the signature on platforms where we
964	* sign things.
965	*/
966	int rc2 = supR3HardenedVerifyProgram(pszProgName, fFatal, fLeaveOpen);
967	if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
968	rc2 = rc;
969
970	return rc;
971	}
972
973
974	/**
975	* Copies the N messages into the error buffer and returns @a rc.
976	*
977	* @returns Returns @a rc
978	* @param rc The return code.
979	* @param pErrInfo The error info structure.
980	* @param cMsgs The number of messages in the ellipsis.
981	* @param ... Message parts.
982	*/
983	static int supR3HardenedSetErrorN(int rc, PRTERRINFO pErrInfo, unsigned cMsgs, ...)
984	{
985	if (pErrInfo)
986	{
987	size_t cbErr = pErrInfo->cbMsg;
988	char *pszErr = pErrInfo->pszMsg;
989
990	va_list va;
991	va_start(va, cMsgs);
992	while (cMsgs-- > 0 && cbErr > 0)
993	{
994	const char pszMsg = va_arg(va, const char );
995	size_t cchMsg = VALID_PTR(pszMsg) ? suplibHardenedStrLen(pszMsg) : 0;
996	if (cchMsg >= cbErr)
997	cchMsg = cbErr - 1;
998	suplibHardenedMemCopy(pszErr, pszMsg, cchMsg);
999	pszErr[cchMsg] = '\0';
1000	pszErr += cchMsg;
1001	cbErr -= cchMsg;
1002	}
1003	va_end(va);
1004
1005	pErrInfo->rc = rc;
1006	pErrInfo->fFlags \|= RTERRINFO_FLAGS_SET;
1007	}
1008
1009	return rc;
1010	}
1011
1012
1013	/**
1014	* Copies the three messages into the error buffer and returns @a rc.
1015	*
1016	* @returns Returns @a rc
1017	* @param rc The return code.
1018	* @param pErrInfo The error info structure.
1019	* @param pszMsg1 The first message part.
1020	* @param pszMsg2 The second message part.
1021	* @param pszMsg3 The third message part.
1022	*/
1023	static int supR3HardenedSetError3(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1024	const char pszMsg2, const char pszMsg3)
1025	{
1026	return supR3HardenedSetErrorN(rc, pErrInfo, 3, pszMsg1, pszMsg2, pszMsg3);
1027	}
1028
1029	#ifdef SOME_UNUSED_FUNCTION
1030
1031	/**
1032	* Copies the two messages into the error buffer and returns @a rc.
1033	*
1034	* @returns Returns @a rc
1035	* @param rc The return code.
1036	* @param pErrInfo The error info structure.
1037	* @param pszMsg1 The first message part.
1038	* @param pszMsg2 The second message part.
1039	*/
1040	static int supR3HardenedSetError2(int rc, PRTERRINFO pErrInfo, const char *pszMsg1,
1041	const char *pszMsg2)
1042	{
1043	return supR3HardenedSetErrorN(rc, pErrInfo, 2, pszMsg1, pszMsg2);
1044	}
1045
1046
1047	/**
1048	* Copies the error message to the error buffer and returns @a rc.
1049	*
1050	* @returns Returns @a rc
1051	* @param rc The return code.
1052	* @param pErrInfo The error info structure.
1053	* @param pszMsg The message.
1054	*/
1055	static int supR3HardenedSetError(int rc, PRTERRINFO pErrInfo, const char *pszMsg)
1056	{
1057	return supR3HardenedSetErrorN(rc, pErrInfo, 1, pszMsg);
1058	}
1059
1060	#endif /* SOME_UNUSED_FUNCTION */
1061
1062	/**
1063	* Output from a successfull supR3HardenedVerifyPathSanity call.
1064	*/
1065	typedef struct SUPR3HARDENEDPATHINFO
1066	{
1067	/** The length of the path in szCopy. */
1068	uint16_t cch;
1069	/** The number of path components. */
1070	uint16_t cComponents;
1071	/** Set if the path ends with slash, indicating that it's a directory
1072	* reference and not a file reference. The slash has been removed from
1073	* the copy. */
1074	bool fDirSlash;
1075	/** The offset where each path component starts, i.e. the char after the
1076	* slash. The array has cComponents + 1 entries, where the final one is
1077	* cch + 1 so that one can always terminate the current component by
1078	* szPath[aoffComponent[i] - 1] = '\0'. */
1079	uint16_t aoffComponents[32+1];
1080	/** A normalized copy of the path.
1081	* Reserve some extra space so we can be more relaxed about overflow
1082	* checks and terminator paddings, especially when recursing. */
1083	char szPath[SUPR3HARDENED_MAX_PATH * 2];
1084	} SUPR3HARDENEDPATHINFO;
1085	/** Pointer to a parsed path. */
1086	typedef SUPR3HARDENEDPATHINFO *PSUPR3HARDENEDPATHINFO;
1087
1088
1089	/**
1090	* Verifies that the path is absolutely sane, it also parses the path.
1091	*
1092	* A sane path starts at the root (w/ drive letter on DOS derived systems) and
1093	* does not have any relative bits (/../) or unnecessary slashes (/bin//ls).
1094	* Sane paths are less or equal to SUPR3HARDENED_MAX_PATH bytes in length. UNC
1095	* paths are not supported.
1096	*
1097	* @returns VBox status code.
1098	* @param pszPath The path to check.
1099	* @param pErrInfo The error info structure.
1100	* @param pInfo Where to return a copy of the path along with
1101	* parsing information.
1102	*/
1103	static int supR3HardenedVerifyPathSanity(const char *pszPath, PRTERRINFO pErrInfo, PSUPR3HARDENEDPATHINFO pInfo)
1104	{
1105	const char *pszSrc = pszPath;
1106	char *pszDst = pInfo->szPath;
1107
1108	/*
1109	* Check that it's an absolute path and copy the volume/root specifier.
1110	*/
1111	#if defined(RT_OS_WINDOWS) \|\| defined(RT_OS_OS2)
1112	if ( !RT_C_IS_ALPHA(pszSrc[0])
1113	\|\| pszSrc[1] != ':'
1114	\|\| !RTPATH_IS_SLASH(pszSrc[2]))
1115	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1116
1117	*pszDst++ = RT_C_TO_UPPER(pszSrc[0]);
1118	*pszDst++ = ':';
1119	*pszDst++ = RTPATH_SLASH;
1120	pszSrc += 3;
1121
1122	#else
1123	if (!RTPATH_IS_SLASH(pszSrc[0]))
1124	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo, "The path is not absolute: '", pszPath, "'");
1125
1126	*pszDst++ = RTPATH_SLASH;
1127	pszSrc += 1;
1128	#endif
1129
1130	/*
1131	* No path specifying the root or something very shortly thereafter will
1132	* be approved of.
1133	*/
1134	if (pszSrc[0] == '\0')
1135	return supR3HardenedSetError3(VERR_SUPLIB_PATH_IS_ROOT, pErrInfo, "The path is root: '", pszPath, "'");
1136	if ( pszSrc[1] == '\0'
1137	\|\| pszSrc[2] == '\0')
1138	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_SHORT, pErrInfo, "The path is too short: '", pszPath, "'");
1139
1140	/*
1141	* Check each component. No parent references or double slashes.
1142	*/
1143	pInfo->cComponents = 0;
1144	pInfo->fDirSlash = false;
1145	while (pszSrc[0])
1146	{
1147	/* Sanity checks. */
1148	if (RTPATH_IS_SLASH(pszSrc[0])) /* can be relaxed if we care. */
1149	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_CLEAN, pErrInfo,
1150	"The path is not clean of double slashes: '", pszPath, "'");
1151	if ( pszSrc[0] == '.'
1152	&& pszSrc[1] == '.'
1153	&& RTPATH_IS_SLASH(pszSrc[2]))
1154	return supR3HardenedSetError3(VERR_SUPLIB_PATH_NOT_ABSOLUTE, pErrInfo,
1155	"The path is not absolute: '", pszPath, "'");
1156
1157	/* Record the start of the component. */
1158	if (pInfo->cComponents >= RT_ELEMENTS(pInfo->aoffComponents) - 1)
1159	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_MANY_COMPONENTS, pErrInfo,
1160	"The path has too many components: '", pszPath, "'");
1161	pInfo->aoffComponents[pInfo->cComponents++] = pszDst - &pInfo->szPath[0];
1162
1163	/* Traverse to the end of the component, copying it as we go along. */
1164	while (pszSrc[0])
1165	{
1166	if (RTPATH_IS_SLASH(pszSrc[0]))
1167	{
1168	pszSrc++;
1169	if (*pszSrc)
1170	*pszDst++ = RTPATH_SLASH;
1171	else
1172	pInfo->fDirSlash = true;
1173	break;
1174	}
1175	pszDst++ = pszSrc++;
1176	if ((uintptr_t)(pszDst - &pInfo->szPath[0]) >= SUPR3HARDENED_MAX_PATH)
1177	return supR3HardenedSetError3(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1178	"The path is too long: '", pszPath, "'");
1179	}
1180	}
1181
1182	/* Terminate the string and enter its length. */
1183	pszDst[0] = '\0';
1184	pszDst[1] = '\0'; /* for aoffComponents */
1185	pInfo->cch = (uint16_t)(pszDst - &pInfo->szPath[0]);
1186	pInfo->aoffComponents[pInfo->cComponents] = pInfo->cch + 1;
1187
1188	return VINF_SUCCESS;
1189	}
1190
1191
1192	/**
1193	* The state information collected by supR3HardenedVerifyFsObject.
1194	*
1195	* This can be used to verify that a directory we've opened for enumeration is
1196	* the same as the one that supR3HardenedVerifyFsObject just verified. It can
1197	* equally be used to verify a native specfied by the user.
1198	*/
1199	typedef struct SUPR3HARDENEDFSOBJSTATE
1200	{
1201	#ifdef RT_OS_WINDOWS
1202	/** Not implemented for windows yet. */
1203	char chTodo;
1204	#else
1205	/** The stat output. */
1206	struct stat Stat;
1207	#endif
1208	} SUPR3HARDENEDFSOBJSTATE;
1209	/** Pointer to a file system object state. */
1210	typedef SUPR3HARDENEDFSOBJSTATE *PSUPR3HARDENEDFSOBJSTATE;
1211	/** Pointer to a const file system object state. */
1212	typedef SUPR3HARDENEDFSOBJSTATE const *PCSUPR3HARDENEDFSOBJSTATE;
1213
1214
1215	/**
1216	* Query information about a file system object by path.
1217	*
1218	* @returns VBox status code, error buffer filled on failure.
1219	* @param pszPath The path to the object.
1220	* @param pFsObjState Where to return the state information.
1221	* @param pErrInfo The error info structure.
1222	*/
1223	static int supR3HardenedQueryFsObjectByPath(char const *pszPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState, PRTERRINFO pErrInfo)
1224	{
1225	#if defined(RT_OS_WINDOWS)
1226	/** @todo Windows hardening. */
1227	pFsObjState->chTodo = 0;
1228	return VINF_SUCCESS;
1229
1230	#else
1231	/*
1232	* Stat the object, do not follow links.
1233	*/
1234	if (lstat(pszPath, &pFsObjState->Stat) != 0)
1235	{
1236	/* Ignore access errors */
1237	if (errno != EACCES)
1238	return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1239	5, "stat failed with ", strerror(errno), " on: '", pszPath, "'");
1240	}
1241
1242	/*
1243	* Read ACLs.
1244	*/
1245	/** @todo */
1246
1247	return VINF_SUCCESS;
1248	#endif
1249	}
1250
1251
1252	/**
1253	* Query information about a file system object by native handle.
1254	*
1255	* @returns VBox status code, error buffer filled on failure.
1256	* @param hNative The native handle to the object @a pszPath
1257	* specifies and this should be verified to be the
1258	* same file system object.
1259	* @param pFsObjState Where to return the state information.
1260	* @param pszPath The path to the object. (For the error message
1261	* only.)
1262	* @param pErrInfo The error info structure.
1263	*/
1264	static int supR3HardenedQueryFsObjectByHandle(RTHCUINTPTR hNative, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1265	char const *pszPath, PRTERRINFO pErrInfo)
1266	{
1267	#if defined(RT_OS_WINDOWS)
1268	/** @todo Windows hardening. */
1269	pFsObjState->chTodo = 0;
1270	return VINF_SUCCESS;
1271
1272	#else
1273	/*
1274	* Stat the object, do not follow links.
1275	*/
1276	if (fstat((int)hNative, &pFsObjState->Stat) != 0)
1277	return supR3HardenedSetErrorN(VERR_SUPLIB_STAT_FAILED, pErrInfo,
1278	5, "fstat failed with ", strerror(errno), " on '", pszPath, "'");
1279
1280	/*
1281	* Read ACLs.
1282	*/
1283	/** @todo */
1284
1285	return VINF_SUCCESS;
1286	#endif
1287	}
1288
1289
1290	/**
1291	* Verifies that the file system object indicated by the native handle is the
1292	* same as the one @a pFsObjState indicates.
1293	*
1294	* @returns VBox status code, error buffer filled on failure.
1295	* @param pFsObjState1 File system object information/state by path.
1296	* @param pFsObjState2 File system object information/state by handle.
1297	* @param pszPath The path to the object @a pFsObjState
1298	* describes. (For the error message.)
1299	* @param pErrInfo The error info structure.
1300	*/
1301	static int supR3HardenedIsSameFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState1, PCSUPR3HARDENEDFSOBJSTATE pFsObjState2,
1302	const char *pszPath, PRTERRINFO pErrInfo)
1303	{
1304	#if defined(RT_OS_WINDOWS)
1305	/** @todo Windows hardening. */
1306	return VINF_SUCCESS;
1307
1308	#elif defined(RT_OS_OS2)
1309	return VINF_SUCCESS;
1310
1311	#else
1312	/*
1313	* Compare the ino+dev, then the uid+gid and finally the important mode
1314	* bits. Technically the first one should be enough, but we're paranoid.
1315	*/
1316	if ( pFsObjState1->Stat.st_ino != pFsObjState2->Stat.st_ino
1317	\|\| pFsObjState1->Stat.st_dev != pFsObjState2->Stat.st_dev)
1318	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1319	"The native handle is not the same as '", pszPath, "' (ino/dev)");
1320	if ( pFsObjState1->Stat.st_uid != pFsObjState2->Stat.st_uid
1321	\|\| pFsObjState1->Stat.st_gid != pFsObjState2->Stat.st_gid)
1322	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1323	"The native handle is not the same as '", pszPath, "' (uid/gid)");
1324	if ( (pFsObjState1->Stat.st_mode & (S_IFMT \| S_IWUSR \| S_IWGRP \| S_IWOTH))
1325	!= (pFsObjState2->Stat.st_mode & (S_IFMT \| S_IWUSR \| S_IWGRP \| S_IWOTH)))
1326	return supR3HardenedSetError3(VERR_SUPLIB_NOT_SAME_OBJECT, pErrInfo,
1327	"The native handle is not the same as '", pszPath, "' (mode)");
1328	return VINF_SUCCESS;
1329	#endif
1330	}
1331
1332
1333	/**
1334	* Verifies a file system object (file or directory).
1335	*
1336	* @returns VBox status code, error buffer filled on failure.
1337	* @param pFsObjState The file system object information/state to be
1338	* verified.
1339	* @param fDir Whether this is a directory or a file.
1340	* @param fRelaxed Whether we can be more relaxed about this
1341	* directory (only used for grand parent
1342	* directories).
1343	* @param pszPath The path to the object. For error messages and
1344	* securing a couple of hacks.
1345	* @param pErrInfo The error info structure.
1346	*/
1347	static int supR3HardenedVerifyFsObject(PCSUPR3HARDENEDFSOBJSTATE pFsObjState, bool fDir, bool fRelaxed,
1348	const char *pszPath, PRTERRINFO pErrInfo)
1349	{
1350	#if defined(RT_OS_WINDOWS)
1351	/** @todo Windows hardening. */
1352	NOREF(pFsObjState); NOREF(fDir); NOREF(fRelaxed); NOREF(pszPath); NOREF(pErrInfo);
1353	return VINF_SUCCESS;
1354
1355	#elif defined(RT_OS_OS2)
1356	/* No hardening here - it's a single user system. */
1357	NOREF(pFsObjState); NOREF(fDir); NOREF(fRelaxed); NOREF(pszPath); NOREF(pErrInfo);
1358	return VINF_SUCCESS;
1359
1360	#else
1361	/*
1362	* The owner must be root.
1363	*
1364	* This can be extended to include predefined system users if necessary.
1365	*/
1366	if (pFsObjState->Stat.st_uid != 0)
1367	return supR3HardenedSetError3(VERR_SUPLIB_OWNER_NOT_ROOT, pErrInfo, "The owner is not root: '", pszPath, "'");
1368
1369	/*
1370	* The object type must be directory or file, no symbolic links or other
1371	* risky stuff (sorry dude, but we're paranoid on purpose here).
1372	*/
1373	if ( !S_ISDIR(pFsObjState->Stat.st_mode)
1374	&& !S_ISREG(pFsObjState->Stat.st_mode))
1375	{
1376	if (S_ISLNK(pFsObjState->Stat.st_mode))
1377	return supR3HardenedSetError3(VERR_SUPLIB_SYMLINKS_ARE_NOT_PERMITTED, pErrInfo,
1378	"Symlinks are not permitted: '", pszPath, "'");
1379	return supR3HardenedSetError3(VERR_SUPLIB_NOT_DIR_NOT_FILE, pErrInfo,
1380	"Not regular file or directory: '", pszPath, "'");
1381	}
1382	if (fDir != !!S_ISDIR(pFsObjState->Stat.st_mode))
1383	{
1384	if (S_ISDIR(pFsObjState->Stat.st_mode))
1385	return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1386	"Expected file but found directory: '", pszPath, "'");
1387	return supR3HardenedSetError3(VERR_SUPLIB_IS_FILE, pErrInfo,
1388	"Expected directory but found file: '", pszPath, "'");
1389	}
1390
1391	/*
1392	* The group does not matter if it does not have write access, if it has
1393	* write access it must be group 0 (root/wheel/whatever).
1394	*
1395	* This can be extended to include predefined system groups or groups that
1396	* only root is member of.
1397	*/
1398	if ( (pFsObjState->Stat.st_mode & S_IWGRP)
1399	&& pFsObjState->Stat.st_gid != 0)
1400	{
1401	#ifdef RT_OS_DARWIN
1402	/* HACK ALERT: On Darwin /Applications is root:admin with admin having
1403	full access. So, to work around we relax the hardening a bit and
1404	permit grand parents and beyond to be group writable by admin. */
1405	/** @todo dynamically resolve the admin group? */
1406	bool fBad = !fRelaxed \|\| pFsObjState->Stat.st_gid != 80 /admin/ \|\| suplibHardenedStrCmp(pszPath, "/Applications");
1407
1408	#elif defined(RT_OS_FREEBSD)
1409	/* HACK ALERT: PC-BSD 9 has group-writable /usr/pib directory which is
1410	similar to /Applications on OS X (see above).
1411	On FreeBSD root is normally the only member of this group, on
1412	PC-BSD the default user is a member. */
1413	/** @todo dynamically resolve the operator group? */
1414	bool fBad = !fRelaxed \|\| pFsObjState->Stat.st_gid != 5 /operator/ \|\| suplibHardenedStrCmp(pszPath, "/usr/pbi");
1415	NOREF(fRelaxed);
1416	#else
1417	NOREF(fRelaxed);
1418	bool fBad = true;
1419	#endif
1420	if (fBad)
1421	return supR3HardenedSetError3(VERR_SUPLIB_WRITE_NON_SYS_GROUP, pErrInfo,
1422	"An unknown (and thus untrusted) group has write access to '", pszPath,
1423	"' and we therefore cannot trust the directory content or that of any subdirectory");
1424	}
1425
1426	/*
1427	* World must not have write access. There is no relaxing this rule.
1428	*/
1429	if (pFsObjState->Stat.st_mode & S_IWOTH)
1430	return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo,
1431	"World writable: '", pszPath, "'");
1432
1433	/*
1434	* Check the ACLs.
1435	*/
1436	/** @todo */
1437
1438	return VINF_SUCCESS;
1439	#endif
1440	}
1441
1442
1443	/**
1444	* Verifies that the file system object indicated by the native handle is the
1445	* same as the one @a pFsObjState indicates.
1446	*
1447	* @returns VBox status code, error buffer filled on failure.
1448	* @param hNative The native handle to the object @a pszPath
1449	* specifies and this should be verified to be the
1450	* same file system object.
1451	* @param pFsObjState The information/state returned by a previous
1452	* query call.
1453	* @param pszPath The path to the object @a pFsObjState
1454	* describes. (For the error message.)
1455	* @param pErrInfo The error info structure.
1456	*/
1457	static int supR3HardenedVerifySameFsObject(RTHCUINTPTR hNative, PCSUPR3HARDENEDFSOBJSTATE pFsObjState,
1458	const char *pszPath, PRTERRINFO pErrInfo)
1459	{
1460	SUPR3HARDENEDFSOBJSTATE FsObjState2;
1461	int rc = supR3HardenedQueryFsObjectByHandle(hNative, &FsObjState2, pszPath, pErrInfo);
1462	if (RT_SUCCESS(rc))
1463	rc = supR3HardenedIsSameFsObject(pFsObjState, &FsObjState2, pszPath, pErrInfo);
1464	return rc;
1465	}
1466
1467
1468	/**
1469	* Does the recursive directory enumeration.
1470	*
1471	* @returns VBox status code, error buffer filled on failure.
1472	* @param pszDirPath The path buffer containing the subdirectory to
1473	* enumerate followed by a slash (this is never
1474	* the root slash). The buffer is RTPATH_MAX in
1475	* size and anything starting at @a cchDirPath
1476	* - 1 and beyond is scratch space.
1477	* @param cchDirPath The length of the directory path + slash.
1478	* @param pFsObjState Pointer to the file system object state buffer.
1479	* On input this will hold the stats for
1480	* the directory @a pszDirPath indicates and will
1481	* be used to verified that we're opening the same
1482	* thing.
1483	* @param fRecursive Whether to recurse into subdirectories.
1484	* @param pErrInfo The error info structure.
1485	*/
1486	static int supR3HardenedVerifyDirRecursive(char *pszDirPath, size_t cchDirPath, PSUPR3HARDENEDFSOBJSTATE pFsObjState,
1487	bool fRecursive, PRTERRINFO pErrInfo)
1488	{
1489	#if defined(RT_OS_WINDOWS)
1490	/** @todo Windows hardening. */
1491	return VINF_SUCCESS;
1492
1493	#elif defined(RT_OS_OS2)
1494	/* No hardening here - it's a single user system. */
1495	return VINF_SUCCESS;
1496
1497	#else
1498	/*
1499	* Open the directory. Now, we could probably eliminate opendir here
1500	* and go down on kernel API level (open + getdents for instance), however
1501	* that's not very portable and hopefully not necessary.
1502	*/
1503	DIR *pDir = opendir(pszDirPath);
1504	if (!pDir)
1505	{
1506	/* Ignore access errors. */
1507	if (errno == EACCES)
1508	return VINF_SUCCESS;
1509	return supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1510	5, "opendir failed with ", strerror(errno), " on '", pszDirPath, "'");
1511	}
1512	if (dirfd(pDir) != -1)
1513	{
1514	int rc = supR3HardenedVerifySameFsObject(dirfd(pDir), pFsObjState, pszDirPath, pErrInfo);
1515	if (RT_FAILURE(rc))
1516	{
1517	closedir(pDir);
1518	return rc;
1519	}
1520	}
1521
1522	/*
1523	* Enumerate the directory, check all the requested bits.
1524	*/
1525	int rc = VINF_SUCCESS;
1526	for (;;)
1527	{
1528	pszDirPath[cchDirPath] = '\0'; /* for error messages. */
1529
1530	struct dirent Entry;
1531	struct dirent *pEntry;
1532	int iErr = readdir_r(pDir, &Entry, &pEntry);
1533	if (iErr)
1534	{
1535	rc = supR3HardenedSetErrorN(VERR_SUPLIB_DIR_ENUM_FAILED, pErrInfo,
1536	5, "readdir_r failed with ", strerror(iErr), " in '", pszDirPath, "'");
1537	break;
1538	}
1539	if (!pEntry)
1540	break;
1541
1542	/*
1543	* Check the length and copy it into the path buffer so it can be
1544	* stat()'ed.
1545	*/
1546	size_t cchName = suplibHardenedStrLen(pEntry->d_name);
1547	if (cchName + cchDirPath > SUPR3HARDENED_MAX_PATH)
1548	{
1549	rc = supR3HardenedSetErrorN(VERR_SUPLIB_PATH_TOO_LONG, pErrInfo,
1550	4, "Path grew too long during recursion: '", pszDirPath, pEntry->d_name, "'");
1551	break;
1552	}
1553	suplibHardenedMemCopy(&pszDirPath[cchName], pEntry->d_name, cchName + 1);
1554
1555	/*
1556	* Query the information about the entry and verify it.
1557	* (We don't bother skipping '.' and '..' at this point, a little bit
1558	* of extra checks doesn't hurt and neither requires relaxed handling.)
1559	*/
1560	rc = supR3HardenedQueryFsObjectByPath(pszDirPath, pFsObjState, pErrInfo);
1561	if (RT_SUCCESS(rc))
1562	break;
1563	rc = supR3HardenedVerifyFsObject(pFsObjState, S_ISDIR(pFsObjState->Stat.st_mode), false /fRelaxed/,
1564	pszDirPath, pErrInfo);
1565	if (RT_FAILURE(rc))
1566	break;
1567
1568	/*
1569	* Recurse into subdirectories if requested.
1570	*/
1571	if ( fRecursive
1572	&& S_ISDIR(pFsObjState->Stat.st_mode)
1573	&& suplibHardenedStrCmp(pEntry->d_name, ".")
1574	&& suplibHardenedStrCmp(pEntry->d_name, ".."))
1575	{
1576	pszDirPath[cchDirPath + cchName] = RTPATH_SLASH;
1577	pszDirPath[cchDirPath + cchName + 1] = '\0';
1578
1579	rc = supR3HardenedVerifyDirRecursive(pszDirPath, cchDirPath + cchName + 1, pFsObjState,
1580	fRecursive, pErrInfo);
1581	if (RT_FAILURE(rc))
1582	break;
1583	}
1584	}
1585
1586	closedir(pDir);
1587	return VINF_SUCCESS;
1588	#endif
1589	}
1590
1591
1592	/**
1593	* Worker for SUPR3HardenedVerifyDir.
1594	*
1595	* @returns See SUPR3HardenedVerifyDir.
1596	* @param pszDirPath See SUPR3HardenedVerifyDir.
1597	* @param fRecursive See SUPR3HardenedVerifyDir.
1598	* @param fCheckFiles See SUPR3HardenedVerifyDir.
1599	* @param pErrInfo See SUPR3HardenedVerifyDir.
1600	*/
1601	DECLHIDDEN(int) supR3HardenedVerifyDir(const char *pszDirPath, bool fRecursive, bool fCheckFiles, PRTERRINFO pErrInfo)
1602	{
1603	/*
1604	* Validate the input path and parse it.
1605	*/
1606	SUPR3HARDENEDPATHINFO Info;
1607	int rc = supR3HardenedVerifyPathSanity(pszDirPath, pErrInfo, &Info);
1608	if (RT_FAILURE(rc))
1609	return rc;
1610
1611	/*
1612	* Verify each component from the root up.
1613	*/
1614	SUPR3HARDENEDFSOBJSTATE FsObjState;
1615	uint32_t const cComponents = Info.cComponents;
1616	for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1617	{
1618	bool fRelaxed = iComponent + 2 < cComponents;
1619	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1620	rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1621	if (RT_SUCCESS(rc))
1622	rc = supR3HardenedVerifyFsObject(&FsObjState, true /fDir/, fRelaxed, Info.szPath, pErrInfo);
1623	if (RT_FAILURE(rc))
1624	return rc;
1625	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = iComponent + 1 != cComponents ? RTPATH_SLASH : '\0';
1626	}
1627
1628	/*
1629	* Check files and subdirectories if requested.
1630	*/
1631	if (fCheckFiles \|\| fRecursive)
1632	{
1633	Info.szPath[Info.cch] = RTPATH_SLASH;
1634	Info.szPath[Info.cch + 1] = '\0';
1635	return supR3HardenedVerifyDirRecursive(Info.szPath, Info.cch + 1, &FsObjState,
1636	fRecursive, pErrInfo);
1637	}
1638
1639	return VINF_SUCCESS;
1640	}
1641
1642
1643	/**
1644	* Verfies a file.
1645	*
1646	* @returns VBox status code, error buffer filled on failure.
1647	* @param pszFilename The file to verify.
1648	* @param hNativeFile Handle to the file, verify that it's the same
1649	* as we ended up with when verifying the path.
1650	* RTHCUINTPTR_MAX means NIL here.
1651	* @param fMaybe3rdParty Set if the file is could be a supplied by a
1652	* third party. Different validation rules may
1653	* apply to 3rd party code on some platforms.
1654	* @param pErrInfo Where to return extended error information.
1655	* Optional.
1656	*/
1657	DECLHIDDEN(int) supR3HardenedVerifyFile(const char *pszFilename, RTHCUINTPTR hNativeFile,
1658	bool fMaybe3rdParty, PRTERRINFO pErrInfo)
1659	{
1660	/*
1661	* Validate the input path and parse it.
1662	*/
1663	SUPR3HARDENEDPATHINFO Info;
1664	int rc = supR3HardenedVerifyPathSanity(pszFilename, pErrInfo, &Info);
1665	if (RT_FAILURE(rc))
1666	return rc;
1667	if (Info.fDirSlash)
1668	return supR3HardenedSetError3(VERR_SUPLIB_IS_DIRECTORY, pErrInfo,
1669	"The file path specifies a directory: '", pszFilename, "'");
1670
1671	/*
1672	* Verify each component from the root up.
1673	*/
1674	SUPR3HARDENEDFSOBJSTATE FsObjState;
1675	uint32_t const cComponents = Info.cComponents;
1676	for (uint32_t iComponent = 0; iComponent < cComponents; iComponent++)
1677	{
1678	bool fFinal = iComponent + 1 == cComponents;
1679	bool fRelaxed = iComponent + 2 < cComponents;
1680	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = '\0';
1681	rc = supR3HardenedQueryFsObjectByPath(Info.szPath, &FsObjState, pErrInfo);
1682	if (RT_SUCCESS(rc))
1683	rc = supR3HardenedVerifyFsObject(&FsObjState, !fFinal /fDir/, fRelaxed, Info.szPath, pErrInfo);
1684	if (RT_FAILURE(rc))
1685	return rc;
1686	Info.szPath[Info.aoffComponents[iComponent + 1] - 1] = !fFinal ? RTPATH_SLASH : '\0';
1687	}
1688
1689	/*
1690	* Verify the file handle against the last component, if specified.
1691	*/
1692	if (hNativeFile != RTHCUINTPTR_MAX)
1693	{
1694	rc = supR3HardenedVerifySameFsObject(hNativeFile, &FsObjState, Info.szPath, pErrInfo);
1695	if (RT_FAILURE(rc))
1696	return rc;
1697	}
1698
1699	#ifdef RT_OS_WINDOWS
1700	/*
1701	* The files shall be signed on windows, verify that.
1702	*/
1703	rc = VINF_SUCCESS;
1704	HANDLE hVerify;
1705	if (hNativeFile == RTHCUINTPTR_MAX)
1706	{
1707	PRTUTF16 pwszPath;
1708	rc = RTStrToUtf16(pszFilename, &pwszPath);
1709	if (RT_SUCCESS(rc))
1710	{
1711	hVerify = CreateFileW(pwszPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
1712	RTUtf16Free(pwszPath);
1713	}
1714	else
1715	rc = RTErrInfoSetF(pErrInfo, rc, "Error converting '%s' to UTF-16: %Rrc", pszFilename, rc);
1716	}
1717	else
1718	{
1719	NTSTATUS rcNt = NtDuplicateObject(NtCurrentProcess(), (HANDLE)hNativeFile, NtCurrentProcess(), &hVerify,
1720	GENERIC_READ, 0 /HandleAttributes/, 0 /Options/);
1721	if (!NT_SUCCESS(rcNt))
1722	hVerify = INVALID_HANDLE_VALUE;
1723	}
1724	if (hVerify != INVALID_HANDLE_VALUE)
1725	{
1726	# ifdef VBOX_WITH_HARDENING
1727	uint32_t fFlags = SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING;
1728	if (!fMaybe3rdParty)
1729	fFlags = SUPHNTVI_F_REQUIRE_BUILD_CERT;
1730	const char *pszSuffix = RTPathSuffix(pszFilename);
1731	if ( pszSuffix
1732	&& pszSuffix[0] == '.'
1733	&& ( RT_C_TO_LOWER(pszSuffix[1]) == 'r'
1734	\|\| RT_C_TO_LOWER(pszSuffix[1]) == 'g')
1735	&& RT_C_TO_LOWER(pszSuffix[2]) == 'c'
1736	&& pszSuffix[3] == '\0' )
1737	fFlags \|= SUPHNTVI_F_RC_IMAGE;
1738	# ifndef IN_SUP_R3_STATIC /* Not in VBoxCpuReport and friends. */
1739	rc = supHardenedWinVerifyImageByHandleNoName(hVerify, fFlags, pErrInfo);
1740	# endif
1741	# endif
1742	NtClose(hVerify);
1743	}
1744	else if (RT_SUCCESS(rc))
1745	rc = RTErrInfoSetF(pErrInfo, RTErrConvertFromWin32(RtlGetLastWin32Error()),
1746	"Error %u trying to open (or duplicate handle for) '%s'", RtlGetLastWin32Error(), pszFilename);
1747	if (RT_FAILURE(rc))
1748	return rc;
1749	#endif
1750
1751	return VINF_SUCCESS;
1752	}
1753
1754
1755	/**
1756	* Gets the pre-init data for the hand-over to the other version
1757	* of this code.
1758	*
1759	* The reason why we pass this information on is that it contains
1760	* open directories and files. Later it may include even more info
1761	* (int the verified arrays mostly).
1762	*
1763	* The receiver is supR3HardenedRecvPreInitData.
1764	*
1765	* @param pPreInitData Where to store it.
1766	*/
1767	DECLHIDDEN(void) supR3HardenedGetPreInitData(PSUPPREINITDATA pPreInitData)
1768	{
1769	pPreInitData->cInstallFiles = RT_ELEMENTS(g_aSupInstallFiles);
1770	pPreInitData->paInstallFiles = &g_aSupInstallFiles[0];
1771	pPreInitData->paVerifiedFiles = &g_aSupVerifiedFiles[0];
1772
1773	pPreInitData->cVerifiedDirs = RT_ELEMENTS(g_aSupVerifiedDirs);
1774	pPreInitData->paVerifiedDirs = &g_aSupVerifiedDirs[0];
1775	}
1776
1777
1778	/**
1779	* Receives the pre-init data from the static executable stub.
1780	*
1781	* @returns VBox status code. Will not bitch on failure since the
1782	* runtime isn't ready for it, so that is left to the exe stub.
1783	*
1784	* @param pPreInitData The hand-over data.
1785	*/
1786	DECLHIDDEN(int) supR3HardenedRecvPreInitData(PCSUPPREINITDATA pPreInitData)
1787	{
1788	/*
1789	* Compare the array lengths and the contents of g_aSupInstallFiles.
1790	*/
1791	if ( pPreInitData->cInstallFiles != RT_ELEMENTS(g_aSupInstallFiles)
1792	\|\| pPreInitData->cVerifiedDirs != RT_ELEMENTS(g_aSupVerifiedDirs))
1793	return VERR_VERSION_MISMATCH;
1794	SUPINSTFILE const *paInstallFiles = pPreInitData->paInstallFiles;
1795	for (unsigned iFile = 0; iFile < RT_ELEMENTS(g_aSupInstallFiles); iFile++)
1796	if ( g_aSupInstallFiles[iFile].enmDir != paInstallFiles[iFile].enmDir
1797	\|\| g_aSupInstallFiles[iFile].enmType != paInstallFiles[iFile].enmType
1798	\|\| g_aSupInstallFiles[iFile].fOptional != paInstallFiles[iFile].fOptional
1799	\|\| suplibHardenedStrCmp(g_aSupInstallFiles[iFile].pszFile, paInstallFiles[iFile].pszFile))
1800	return VERR_VERSION_MISMATCH;
1801
1802	/*
1803	* Check that we're not called out of order.
1804	* If dynamic linking it screwed up, we may end up here.
1805	*/
1806	if ( ASMMemIsAll8(&g_aSupVerifiedFiles[0], sizeof(g_aSupVerifiedFiles), 0) != NULL
1807	\|\| ASMMemIsAll8(&g_aSupVerifiedDirs[0], sizeof(g_aSupVerifiedDirs), 0) != NULL)
1808	return VERR_WRONG_ORDER;
1809
1810	/*
1811	* Copy the verification data over.
1812	*/
1813	suplibHardenedMemCopy(&g_aSupVerifiedFiles[0], pPreInitData->paVerifiedFiles, sizeof(g_aSupVerifiedFiles));
1814	suplibHardenedMemCopy(&g_aSupVerifiedDirs[0], pPreInitData->paVerifiedDirs, sizeof(g_aSupVerifiedDirs));
1815	return VINF_SUCCESS;
1816	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp@ 54375

Download in other formats: